
Tag: Chinese hackers

A group of cybercriminals has breached and mapped the global banking system, and in a series of attacks has so far stolen $81 million from the central bank of Bangladesh. Experts believe the attacks were done through a vulnerability in the SWIFT banking system, which connects 11,000 financial institutions around the world.
Investigations into the ongoing attacks are still underway, and related attacks on other banks are still being uncovered. Some experts are pinning the attack on hackers from North Korea, since the tools they used share similarities to the November 2014 hack of Sony Pictures Entertainment.
According to an insider with direct knowledge of the recent attacks, however, the culprit behind the digital bank robberies is much larger. The insider requested to remain anonymous due to security concerns, and was able to provide evidence to support his claims.
A screenshot provided to Epoch Times showing the security certificate of a Mexico-owned bank money transfer network being exfiltrated. Hackers can use the certificate to send communications through the company’s networks, which its recipients would automatically validate. (Epoch Times)
Chinese state hackers identified the initial vulnerability, and used it to infiltrate and infect the global financial system, according to the insider. When their contract ended with the Chinese regime last year, they sold the vulnerability to cybercrime groups on a private marketplace in the darknet in an attempt to thwart detection, he said. The darknet is an alternate internet that is only accessible using specialized software. While the darknet has legitimate uses, criminal groups buy, sell, and conspire on darknet forums.
The Chinese regime runs a large network of hackers under the General Staff Department, Third Department, of its military. These hackers carry out orders from the Chinese regime, and also often run additional operations or sell data on the side for personal financial gain. Epoch Times exposed this system in a previous investigative series.
The cybercrime groups who purchased the vulnerability are allegedly those carrying out the current attacks and illegal money transfers.
“The Chinese have already gained permanent access to the target financial networks and exfiltrated all the data they wanted for the contract for their sponsor,” the insider said. “Now they have this vulnerability they can continue to monetize, so now they’re selling it to criminal networks.”
Process of the Breach
The code used to exploit the vulnerability was pulled from multiple sources, which means researchers who look at the breach only from the surface may draw false conclusions about who is behind it. He said some of the code was developed in-house by the Chinese hackers, but they also purchased some of it from Russian universities.
The insider said the Chinese hackers didn’t sell the vulnerability to any specific cybercrime group either. “They’ll sell one bank to one group,” he said, and noted most of the hackers carrying out the current attacks are comparatively low-skilled. “They’re not coders,” he said. “They just know how to release packages and deploy them.”
The insider was able to provide forensic data and screenshots that support the claims. The insider was also able to provide a list of targeted banks, which he noted is growing, and which includes a long list of banks and financial systems that are connected to a compromised banking partner network—including several in the United States, Latin America, and Asia.
The Chinese state hackers started their attacks on the bank networks as early as 2006, according to the insider, and began uploading malware to the bank networks in 2013.
While the breach of SWIFT has been made public, he said, the Chinese hackers also breached a money transfer network which is run by a Mexico-owned bank based in New Jersey.
“Basically, Mexico’s critical infrastructure is owned by the same APT group,” he said, using “APT” or “advanced persistent threat,” to refer to the Chinese state hackers. “They’re in everything down there,” the insider said, referring to the level of access the Chinese state hackers have gained over critical networks in Mexico.
A post on a cybercrime darknet forum offers access to Mexican government networks, stating the entry is “ideal for cyberspy.” (Screenshot was provided to Epoch Times by an insider)
A post on a cybercrime darknet forum offers access to more than 150,000,000 sensitive files from Mexican government networks, stating “information is complete country.” (Screenshot was provided to Epoch Times by an insider)
A post on a cybercrime darknet forum sells access to “all information” on Mexico, noting it contains a new method to breach networks, and includes “bigs company” in the financial sector. (Screenshot was provided to Epoch Times by an insider)
It wasn’t until around June 2015 that the Chinese state hackers sold the vulnerability to cybercrime organizations, and these organizations immediately used it to begin mapping, testing, and infecting banks and financial systems.
The insider said the hackers exploited a vulnerability in Apache Struts V2, a framework used to build web applications. It was vulnerable as early as 2006 and was patched in 2013. He also noted that after gaining initial access, the hackers have since traversed numerous additional financial networks they’re targeting.
While the Chinese state hackers sold access to the bank networks, the source noted the hackers had been mapping and infecting the global banking system over the last eight years.
When they decided to sell the vulnerability, they did not forfeit their access to the networks. By the time they sold it, the insider said, it had already served its purpose. In other words, the Chinese state hackers still have access to the networks—and not just to a few banks, but instead most of the global banking system.
The insider speculated that the Chinese state hackers are selling the original vulnerability both for profit, and to use the cybercriminal gang as a deliberate distraction from their higher-level breaches. He went on to

One of the most important developments in recent history for China’s military took place last month, and it was easy to miss.
The Chinese Communist Party (CCP) ordered its military to abandon its business ventures over the next three years. The order applies to the People’s Liberation Army and the People’s Armed Police.
Those who follow Epoch Times reporting know the implications of this run deep. As my colleague Matthew Robertson pointed out, this will notably close the military-run hospitals which carry out the CCP’s forced organ transplants of prisoners of conscience—most markedly Falun Gong practitioners.
Robertson profiled the operations of one of these hospitals, Tianjin First Central, in an investigative piece in February, and noted “Epoch Times found sufficient evidence to throw into great doubt, if not demolish entirely, the official narrative of organ sourcing in China. This is simply due to the number of transplants: they are far too high.”
But the implications of the new order for the Chinese military run deeper still, as the order will very likely also impact the Chinese military’s use of cyberattacks for financial gain.
I’m not talking about the state-sanctioned cyberattacks, but instead the cyberattacks military commanders run to feed business ventures they have ties to, and the cyberattacks individual military hackers carry out to stuff their own pockets.
I mapped out China’s military-industrial complex in a September 2015 investigative report, and noted that until recently the Chinese military was expected to find external ventures to fund its operations.
I also detailed in March the DarkNet marketplaces that Chinese military hackers run to make money on the side. The hackers have been carrying out the state-run cyberattacks on behalf of the Chinese regime, but have also been stealing additional information they can sell personally.
Under the new orders, it’s likely these external ventures will gradually lessen, and we could see a significant drop in Chinese cyberattacks.
Of course, this doesn’t mean the state-sponsored cyberattacks will stop. It just means the military-led cyberattacks the Chinese regime doesn’t have a direct hand in could be coming to an end.
This process has actually been underway for some time. In September 2015, the leader of the Chinese Communist Party, Xi Jinping, announced he would cut 300,000 troops from the Chinese military. This was accompanied by a planned restructuring of the Chinese military.
I reported in November 2015 that there was more to this restructuring than meets the eye. A proposal for the new structure shows that it would move the military units that carry out the cyberattacks out from under strict military control, and put them under joint command between the Central Military Commission and the State Council.
In other words, the restructuring would give the “government” side of the Chinese regime, the State Council, more oversight over the types of cyberoperations being carried out by the military.
On May 16, the Chinese regime also deployed “anti-graft” squads to different theater commands and “key military departments,” according to the state-run Global Times. Under the oversight of these 10 anti-graft squads, it states, these targeted commands and departments will “for the first time be accountable to top military authorities.”
This won’t all happen overnight, however. The state-run China Daily reported on May 10 that the People’s Liberation Army and People’s Armed Police have started by selecting 17 units to close their commercial activities.
The process is planned to be completed within three years, and the report notes the 17 units are “tasked with exploring effective ways to shut down businesses.”

The Chief Information Security Officer (CISO) for a firm that specializes in gaining intelligence on the criminal activities in the darkest corners of the Internet has revealed the existence of private marketplaces run by China’s cyberspies.
Ed Alexander is CISO for the California-based company DBI. In a phone interview, Alexander said these private marketplaces are where many of China’s state-sponsored hackers do their side work and sell stolen data to the highest bidders.
“Their primary allegiance is to China. Their secondary allegiance is to themselves,” Alexander said.
DBI trains and manages darknet operatives-for-hire, who conduct human intelligence (HUMINT) operations on the Darknet, and Alexander oversees what the company describes as the world’s largest cyberHUMINT teams.
Contrary to reports saying China’s state-run hackers are clumsy and poorly skilled, Alexander said that in the 10 years since his deployment of cyberHUMINT operations, “these are the most sophisticated people I’ve seen.”
Even other nation-state hackers, such as those with the Syrian Electronic Army, he said, “[are] nowhere close to the sophistication of the Chinese.”
The Hidden Internet
There are two sides to the Internet. The part most of us use is called the “Clearnet” or the “Surface Net,” and includes all parts of the Internet that are searchable and readily accessible. The other part of the Internet is the “Deep Web,” which constitutes about 94 percent of the actual Internet and includes all the data that search engines can’t see.
Within the Deep Web, there are hidden websites that can only be accessed using specialized tools, such as the Tor (The Onion Router) Browser. This part of the Internet is called the Darknet, and while it has several benign websites, it is also home to digital black markets such as the “Silk Road,” which sells illegal drugs and firearms.
The part of the Darknet that DBI deals with, however, is deeper still. It gathers intelligence from invite-only and private forums where the real cybercriminal underground conducts its business.
DBI’s approach is in sharp contrast to that of newer darknet intelligence start-ups, which only scrape data off the open darknet forums. DBI is the only company offering cyberHUMINT operatives-for-hire, and it is employed by Fortune 500 companies, law enforcement, military, and intelligence agencies worldwide.
Alexander compared the environment on the Darknet to that of a prison gang ecosystem. New people on the Darknet are not seen as being part of the gangs. “They’re just outsiders looking around,” he said, and are always oblivious to the discussions that go on among the organizations running the show.
He said in these communities, DBI sees discussions on which government and business networks are being targeted, which ones have already been breached, and which ones have their data being sold to the highest bidders.
China’s State Hackers
When it comes to the Chinese Darknet, the more public forums are typically used by the less experienced hackers. The marketplaces operated by the state hackers are much more difficult to access.
Alexander said these hackers have told his operatives they’re state sponsored. “They tell us they work for China,” Alexander said.
The Darknet marketplaces used by China’s state hackers use a three-step, invite-only process for access.
First, every would-be member needs to be proposed by a known member to a site’s admins for approval. Second, the candidate must be vouched for by at least five known and trusted darknet denizens of echelon status. Finally, every buyer needs to demonstrate they have at least $100,000 of bitcoin in a digital wallet that the buyer proves they control. Only after passing this vetting process does a new member get access to shop and interact with other members.
Most of their clients are representatives from nation-states, and Alexander said there are buyers from a surprisingly large number of countries on their markets, including Russia and Iran.
He said the Chinese state hackers will sell to “any country that has enough money to pay them for their services—this is about money,” yet noted they strictly do not sell to representatives from terrorist organizations.
Stolen data sells for anywhere up to $75,000. Access to a business or government network goes for around $100,000. And if the client wants to hire them to breach a specific target, Alexander said they charge no less than $1 million.
The Chinese hackers run the market as their side business, Alexander said. While breaching networks for their day jobs under the Chinese regime, they’ll often steal additional data they can sell on the black market.
Chinese state hackers are often viewed as clumsy. During a segment on 60 Minutes in October 2014, FBI Director James Comey said “I liken them a bit to a drunk burglar. They’re kickin’ in the front door, knocking over the vase, while they’re walking out with your television set.”
Information from DBI shows a different picture. The Chinese state hackers breach networks under contract, steal what they were hired to steal, then take anything else they can sell on the side.
He also said the hackers treat it like a business, noting that “they’ll never resell the information.” It seems there is a kind of honor among these thieves.

Chinese cybercriminals are getting more organized, and are building a stronger presence on international markets and forums used by online criminals.
“China has long been home to a relatively robust and large underground cybercrime community within the Deep & Dark Web,” says a report released on Feb. 19 by Flashpoint, a Deep Web data and intelligence group.
The Deep Web is the unseen part of the Internet. A large portion of it is just code and data; other parts are defined more broadly as Web pages that are not searchable by Google or that are password protected.
But there’s another subset of the Deep Web, sometimes called the “DarkNet,” that is only accessible with specialized software. It’s a place where illicit markets sell everything from drugs to hitmen, and where cybercriminals often sell stolen data or buy new tools for their trade.
“The vast majority of mass retail business is conducted via automated shops and platforms designed to cater to a wide audience with little in the way of individual interaction between buyer and seller required,” the report says.
While Chinese cybercriminals have always had a strong presence on the DarkNet, they used to lack structure, and their operations were comparatively less professional.
While cybercriminals elsewhere sometimes have full digital storefronts where they may sell stolen credit cards and data, the Chinese cybercriminals were often still using forms of direct communication for one-off deals.
They were often using tools like Baidu Tieba and QQ Messenger. This would be roughly equivalent to using Google Chat or Instant Messenger to sell stolen goods.
Sometimes they would even post advertisements for cybercrime on random forums, including places where people discuss real estate, video games, and entertainment.
“This stands in stark contrast to the high level of professionalism and maturity that characterizes the Russian underground economy, where one-on-one transactions are primarily reserved for significant sales,” the report says.
Over the last year, however, the operations of Chinese cybercriminals changed.
Researchers at Flashpoint monitoring Chinese cybercriminals on the Darknet throughout 2015 saw “increasing signs” that the Chinese cybercrime underground was maturing, and branching out internationally.
Instead of building their own systems, the report says many Chinese cybercriminals started establishing themselves on forums and shops “within the Russian underground.”
The report notes that Chinese cybercriminals likely chose the Russian systems because those markets have comparatively loose standards. They usually accept registration from users who don’t speak Russian or English.
The new shift has only just started, but the Chinese joining the broader community of cybercriminals may bring about a more globalized structure for cybercrime.

An apparent copy of America’s top jet has been spotted via satellite sitting on Pucheng Neifu Airport, in Shaanxi province in central China.
The jet can be seen with liveuamap.com, which uses Google Maps, but doesn’t show up when viewed with Google Maps directly.
While the airport has no clear links to the People’s Liberation Army Air Force, Popular Mechanics notes that it’s located near the Xian Aeronautics Flight Experience Center, which doesn’t turn up any results when searched online.
What’s curious is that nearby are what appear to be replicas of other foreign military planes, including what looks like an American SR-71 Blackbird reconnaissance aircraft, and what looks like an American E-2 Hawkeye early warning aircraft.
Replicas of U.S. planes are seen on a Chinese airfield, including an E-2 Hawkeye (center, left) and a SR-71 Blackbird (center, right). (Google Maps)
The Chinese regime previously stole more than 50 terabytes of data from U.S. defense and government networks, according to NSA documents disclosed in January 2015.
Among the files stolen were radar designs and engine schematics for the F-35. The documents also said China had compromised the weapons systems of the F-22.
It wasn’t clear if the Chinese hackers had obtained models for the complete versions of either aircraft, but several experts have noted some remarkable similarities between the F-35 and China’s J-20 fighter jet.


Targets of major Chinese cyberattacks in 2015 could hint at what industries will be hit this year, according to a new report from cybersecurity company CrowdStrike.
Personal records of more than 22 million U.S. federal employees were stolen from the Office of Personnel Management, in a cyberattack announced in June 2015. It followed another attack on the Anthem health insurance company, where hackers stole close to 80 million records.
Hints at the new direction can be found in the Chinese Communist Party’s 13th Five-Year Plan, which was released in November 2015 and should be finalized early this year.
“These plans typically provide a roadmap for what China will target using cyber means,” the report states.
The Chinese regime is trying to push out foreign technology, in favor of domestic technology, and is also trying to build a middle class.
“The combination of China becoming increasingly distrustful of western information technology and a desire to promote its own sectors of industrial manufacturing and retail may lead to a gradual tapering off of targeting against these sectors,” the report says.
It says Chinese hackers may instead focus on areas including agriculture, healthcare, and alternative energy, which “China deems crucial to promoting the wellbeing of its growing middle class, and where it has the most technological gaps.”
These would add to the list of industries the Chinese regime has already identified for theft. Under Project 863, Chinese hackers and spies target nine industries including biotechnology, information technology, automation, and telecommunications.
The U.S. Office of the National Counterintelligence Executive said in a 2011 report that Project 863 “provides funding and guidance for efforts to clandestinely acquire U.S. technology and sensitive economic information.”
The Chinese hackers may start broadening their nets as well. Instead of just going after intellectual property, the CrowdStrike report says they may go after basic know-how “such as building native supply chains and administrative expertise.”
I’ve reported previously that the Chinese were already going after this type of information. They’re looking at everything from how companies are managed to how they market their products.
It may now be even more so, however, since the Chinese regime is making a serious effort to push out foreign firms and take the place they once occupied.
The report says we may also see some changes—at least in the short term—in how the Chinese hackers operate, since the Chinese regime is undergoing a structural shift, set to be completed by 2020.
Hackers in the Chinese military may see their new positions sooner. The report says, “cyber will likely be a priority due to China’s emphasis on winning informatized wars, meaning that the shift may be observed soonest in that arena.”
In the meantime, it says, some of the Chinese cyberattacks may be carried out by its civilian intelligence agencies and associated contractors—such as the Ministry of Public Security.